
CYBER SECURITY RESOURCES

NCUA recognizes the importance of cyber security and using the web safely and securely.

The information on this page is offered as resources for research and informational purposes. It may not reflect all of the requirements or guidance in this area and should not be construed as requirements except as noted. NCUA does not endorse any vendor, service, or product.

When you access the links below, you might leave NCUA's site.

NCUA Regulations and Guidance

The Examiner's Guide sets out guidance for an examiner on NCUA's examination and supervision of credit unions. The primary goal is to ensure the overall safety and soundness of the credit union system via a risk-focused examination and supervision program. Chapter 6 provides guidance on information systems and technology.

NCUA has updated its IT examination questionnaires to facilitate an increased risk-focused review of a credit union’s information technology environment. The updated IT questionnaire workbook consists of two tiers: Tier I questionnaires focus on the highest priority review areas, including electronic banking, while Tier II questionnaires are designed to address more technical network, security, and related technology issues. The new IT questionnaires now include a second workbook with two questionnaires for generalist examiners to review credit union information security programs, electronic banking security, and website compliance. Please note that most questions include comments to provide additional context or terminology for better comprehension.

Federal Government Requirements and Guidelines

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Information Sharing Forums on Cyber Threats

Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Directive 63. That directive - later updated by 2003's Homeland Security Presidential Directive 7 - mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity - collaborative, agile, and responsive in a dynamic and complex environment.

InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.

Best Practices

The FFIEC Information Technology Examination Handbook is comprised of individual booklets. These booklets represent a series of updates to the existing 1996 FFIEC Information Systems Examination Handbook. They address significant changes in financial institution technology since 1996. They incorporate changes in technology-related risks and controls and follow a risk-based approach to evaluating risk management practices. The booklets provide valuable information to both examiners and financial institution management.

The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" - security controls where products, processes, architectures and services are in use that have demonstrated real-world effectiveness. Standardization and automation are another top priority, to gain operational efficiencies while also improving effectiveness. The US State Department has previously demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.

The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals, from auditors and network administrators to chief information security officers, are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community.